
Introduction to Information Security - Cengage


Chapter 1

Introduction to Information Security

Do not figure on opponents not attacking; worry about your own lack of preparation.

BOOK OF THE FIVE RINGS

For Amy, the day began like any other at the Sequential Label and Supply Company (SLS) help desk. Taking calls and helping office workers with computer problems was not glamorous, but she enjoyed the work; it was challenging and paid well. Some of her friends in the industry worked at bigger companies, some at cutting-edge tech companies, but they all agreed that jobs in information technology were a good way to pay the bills.

The phone rang, as it did on average about four times an hour and about 28 times a day. The first call of the day, from a worried user hoping Amy could help him out of a jam, seemed typical. The call display on her monitor gave some of the facts: the user’s name, his phone number, the department in which he worked, where his office was on the company campus, and a list of all the calls he’d made in the past.

“Hi, Bob,” she said. “Did you get that document formatting problem squared away?”

“Sure did, Amy. Hope we can figure out what’s going on this time.”

“We’ll try, Bob. Tell me about it.”

“Well, my PC is acting weird,” Bob said. “When I go to the screen that has my e-mail program running, it doesn’t respond to the mouse or the keyboard.”

“Did you try a reboot yet?”

© Cengage Learning. All rights reserved. No distribution allowed without express authorization.


“Sure did. But the window wouldn’t close, and I had to turn it off. After it restarted, I opened the e-mail program, and it’s just like it was before—no response at all. The other stuff is working OK, but really, really slowly. Even my Internet browser is sluggish.”

“OK, Bob. We’ve tried the usual stuff we can do over the phone. Let me open a case, and I’ll dispatch a tech over as soon as possible.”

Amy looked up at the LED tally board on the wall at the end of the room. She saw that there were only two technicians dispatched to deskside support at the moment, and since it was the day shift, there were four available.

“Shouldn’t be long at all, Bob.”

She hung up and typed her notes into ISIS, the company’s Information Status and Issues System. She assigned the newly generated case to the deskside dispatch queue, which would page the roving deskside team with the details in just a few minutes.

A moment later, Amy looked up to see Charlie Moody, the senior manager of the server administration team, walking briskly down the hall. He was being trailed by three of his senior technicians as he made a beeline from his office to the door of the server room where the company servers were kept in a controlled environment. They all looked worried.

Just then, Amy’s screen beeped to alert her of a new e-mail. She glanced down. It beeped again—and again. It started beeping constantly. She clicked on the envelope icon and, after a short delay, the mail window opened. She had 47 new e-mails in her inbox. She opened one from Davey Martinez, an acquaintance from the Accounting Department. The subject line said, “Wait till you see this.” The message body read, “Look what this has to say about our managers’ salaries…” Davey often sent her interesting and funny e-mails, and she failed to notice that the file attachment icon was unusual before she clicked it.

Her PC showed the hourglass pointer icon for a second and then the normal pointer reappeared. Nothing happened. She clicked the next e-mail message in the queue. Nothing happened. Her phone rang again. She clicked the ISIS icon on her computer desktop to activate the call management software and activated her headset. “Hello, Tech Support, how can I help you?” She couldn’t greet the caller by name because ISIS had not responded.

“Hello, this is Erin Williams in receiving.”

Amy glanced down at her screen. Still no ISIS. She glanced up to the tally board and was surprised to see the inbound-call-counter tallying up waiting calls like digits on a stopwatch. Amy had never seen so many calls come in at one time.

“Hi, Erin,” Amy said. “What’s up?”

“Nothing,” Erin answered. “That’s the problem.” The rest of the call was a replay of Bob’s, except that Amy had to jot notes down on a legal pad. She couldn’t dispatch the deskside support team either. She looked at the tally board. It had gone dark. No numbers at all.

Then she saw Charlie running down the hall from the server room. He didn’t look worried anymore. He looked frantic.

Amy picked up the phone again. She wanted to check with her supervisor about what to do now. There was no dial tone.


Learning Objectives

Upon completion of this material, you should be able to:
• Define information security
• Recount the history of computer security, and explain how it evolved into information security
• Define key terms and critical concepts of information security
• Enumerate the phases of the security systems development life cycle
• Describe the information security roles of professionals within an organization

Introduction

James Anderson, executive consultant at Emagined Security, Inc., believes information security in an enterprise is a “well-informed sense of assurance that the information risks and controls are in balance.” He is not alone in his perspective. Many information security practitioners recognize that aligning information security needs with business objectives must be the top priority.

This chapter’s opening scenario illustrates that the information risks and controls are not in balance at Sequential Label and Supply. Though Amy works in a technical support role and her job is to solve technical problems, it does not occur to her that a malicious software program, like a worm or virus, might be the agent of the company’s current ills. Management also shows signs of confusion and seems to have no idea how to contain this kind of incident. If you were in Amy’s place and were faced with a similar situation, what would you do? How would you react? Would it occur to you that something far more insidious than a technical malfunction was happening at your company? As you explore the chapters of this book and learn more about information security, you will become better able to answer these questions. But before you can begin studying the details of the discipline of information security, you must first know the history and evolution of the field.

The History of Information Security

The history of information security begins with computer security. The need for computer security—that is, the need to secure physical locations, hardware, and software from threats—arose during World War II when the first mainframes, developed to aid computations for communication code breaking (see Figure 1-1), were put to use. Multiple levels of security were implemented to protect these mainframes and maintain the integrity of their data. Access to sensitive military locations, for example, was controlled by means of badges, keys, and the facial recognition of authorized personnel by security guards. The growing need to maintain national security eventually led to more complex and more technologically sophisticated computer security safeguards.

During these early years, information security was a straightforward process composed predominantly of physical security and simple document classification schemes. The primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage. One of the first documented security problems that fell outside these categories occurred in the early 1960s, when a systems administrator was working on an MOTD (message of the day) file, and another administrator was editing the password file. A software glitch mixed the two files, and the entire password file was printed on every output file.[2]

The 1960s

During the Cold War, many more mainframes were brought online to accomplish more complex and sophisticated tasks. It became necessary to enable these mainframes to communicate via a less cumbersome process than mailing magnetic tapes between computer centers. In response to this need, the Department of Defense’s Advanced Research Projects Agency (ARPA) began examining the feasibility of a redundant, networked communications system to support the military’s exchange of information. Larry Roberts, known as the founder of the Internet, developed the project—which was called ARPANET—from its inception. ARPANET is the predecessor to the Internet (see Figure 1-2 for an excerpt from the ARPANET Program Plan).

Figure 1-1 The Enigma
Source: Courtesy of National Security Agency

Earlier versions of the German code machine Enigma were first broken by the Poles in the 1930s. The British and Americans managed to break later, more complex versions during World War II. The increasingly complex versions of the Enigma, especially the submarine or Unterseeboot version of the Enigma, caused considerable anguish to Allied forces before finally being cracked. The information gained from decrypted transmissions was used to anticipate the actions of German armed forces. “Some ask why, if we were reading the Enigma, we did not win the war earlier. One might ask, instead, when, if ever, we would have won the war if we hadn’t read it.”[1]

The 1970s and 80s

During the next decade, ARPANET became popular and more widely used, and the potential for its misuse grew. In December of 1973, Robert M. “Bob” Metcalfe, who is credited with the development of Ethernet, one of the most popular networking protocols, identified fundamental problems with ARPANET security. Individual remote sites did not have sufficient controls and safeguards to protect data from unauthorized remote users. Other problems abounded: vulnerability of password structure and formats; lack of safety procedures for dial-up connections; and nonexistent user identification and authorization to the system. Phone numbers were widely distributed and openly publicized on the walls of phone booths, giving hackers easy access to ARPANET. Because of the range and frequency of computer security violations and the explosion in the numbers of hosts and users on ARPANET, network security was referred to as network insecurity.[4] In 1978, a famous study entitled “Protection Analysis: Final Report” was published. It focused on a project undertaken by ARPA to discover the vulnerabilities of operating system security. For a timeline that includes this and other seminal studies of computer security, see Table 1-1.

The movement toward security that went beyond protecting physical locations began with a single paper sponsored by the Department of Defense, the Rand Report R-609, which attempted to define the multiple controls and mechanisms necessary for the protection of a multilevel computer system. The document was classified for almost ten years, and is now considered to be the paper that started the study of computer security.

The security—or lack thereof—of the systems sharing resources inside the Department of Defense was brought to the attention of researchers in the spring and summer of 1967. At that time, systems were being acquired at a rapid rate and securing them was a pressing concern for both the military and defense contractors.


Figure 1-2 Development of the ARPANET Program Plan[3]

Source: Courtesy of Dr. Lawrence Roberts


In June of 1967, the Advanced Research Projects Agency formed a task force to study the process of securing classified information systems. The Task Force was assembled in October of 1967 and met regularly to formulate recommendations, which ultimately became the contents of the Rand Report R-609.[9]

The Rand Report R-609 was the first widely recognized published document to identify the role of management and policy issues in computer security. It noted that the wide utilization of networking components in information systems in the military introduced security risks that could not be mitigated by the routine practices then used to secure these systems.[10] This paper signaled a pivotal moment in computer security history—when the scope of computer security expanded significantly from the safety of physical locations and hardware to include the following:

● Securing the data
● Limiting random and unauthorized access to that data
● Involving personnel from multiple levels of the organization in matters pertaining to information security

Table 1-1 Key Dates for Seminal Works in Early Computer Security

Date / Document
1968: Maurice Wilkes discusses password security in Time-Sharing Computer Systems.
1973: Schell, Downey, and Popek examine the need for additional security in military systems in “Preliminary Notes on the Design of Secure Military Computer Systems.”[5]
1975: The proposed Data Encryption Standard (DES) is published for comment in the Federal Register, ahead of its adoption as a Federal Information Processing Standard (FIPS).
1978: Bisbey and Hollingworth publish their study “Protection Analysis: Final Report,” discussing the Protection Analysis project created by ARPA to better understand the vulnerabilities of operating system security and examine the possibility of automated vulnerability detection techniques in existing system software.[6]
1979: Morris and Thompson author “Password Security: A Case History,” published in the Communications of the Association for Computing Machinery (ACM). The paper examines the history of a design for a password security scheme on a remotely accessed, time-sharing system.
1979: Dennis Ritchie publishes “On the Security of UNIX” and “Protection of Data File Contents,” discussing secure user IDs and secure group IDs, and the problems inherent in the systems.
1984: Grampp and Morris write “UNIX Operating System Security.” In this report, the authors examine four “important handles to computer security”: physical control of premises and computer facilities, management commitment to security objectives, education of employees, and administrative procedures aimed at increased security.[7]
1984: Reeds and Weinberger publish “File Security and the UNIX System Crypt Command.” Their premise was: “No technique can be secure against wiretapping or its equivalent on the computer. Therefore no technique can be secure against the systems administrator or other privileged users … the naive user has no chance.”[8]

MULTICS

Much of the early research on computer security centered on a system called Multiplexed Information and Computing Service (MULTICS). Although it is now obsolete, MULTICS is noteworthy because it was the first operating system to integrate security into its core functions. It was a mainframe, time-sharing operating system developed in the mid-1960s by a consortium of General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT).

In mid-1969, not long after the restructuring of the MULTICS project, several of its developers (Ken Thompson, Dennis Ritchie, Rudd Canaday, and Doug McIlroy) created a new operating system called UNIX. While the MULTICS system implemented multiple security levels and passwords, the UNIX system did not. Its primary function, text processing, did not require the same level of security as that of its predecessor. In fact, it was not until the early 1970s that even the simplest component of security, the password function, became a component of UNIX.

In the late 1970s, the microprocessor brought the personal computer and a new age of computing. The PC became the workhorse of modern computing, thereby moving it out of the data center. This decentralization of data processing systems in the 1980s gave rise to networking—that is, the interconnecting of personal computers and mainframe computers, which enabled the entire computing community to make all their resources work together.

The 1990s

At the close of the twentieth century, networks of computers became more common, as did the need to connect these networks to each other. This gave rise to the Internet, the first global network of networks. The Internet was made available to the general public in the 1990s, having previously been the domain of government, academia, and dedicated industry professionals. The Internet brought connectivity to virtually all computers that could reach a phone line or an Internet-connected local area network (LAN). After the Internet was commercialized, the technology became pervasive, reaching almost every corner of the globe with an expanding array of uses.

Since its inception as a tool for sharing Defense Department information, the Internet has become an interconnection of millions of networks. At first, these connections were based on de facto standards, because industry standards for interconnection of networks did not exist at that time. These de facto standards did little to ensure the security of information, though as these precursor technologies were widely adopted and became industry standards, some degree of security was introduced. However, early Internet deployment treated security as a low priority. In fact, many of the problems that plague e-mail on the Internet today are the result of this early lack of security. At that time, when all Internet and e-mail users were (presumably trustworthy) computer scientists, mail server authentication and e-mail encryption did not seem necessary. Early computing approaches relied on security that was built into the physical environment of the data center that housed the computers. As networked computers became the dominant style of computing, the ability to physically secure a networked computer was lost, and the stored information became more exposed to security threats.

2000 to Present

Today, the Internet brings millions of unsecured computer networks into continuous communication with each other. The security of each computer’s stored information is now contingent on the level of security of every other computer to which it is connected. Recent years have seen a growing awareness of the need to improve information security, as well as a realization that information security is important to national defense. The growing threat of cyber attacks has made governments and companies more aware of the need to defend the computer-controlled systems of utilities and other critical infrastructure. There is also growing concern about nation-states engaging in information warfare, and the possibility that business and personal information systems could become casualties if they are undefended.

What Is Security?

In general, security is “the quality or state of being secure—to be free from danger.”[11] In other words, protection against adversaries—from those who would do harm, intentionally or otherwise—is the objective. National security, for example, is a multilayered system that protects the sovereignty of a state, its assets, its resources, and its people. Achieving the appropriate level of security for an organization also requires a multifaceted system.

A successful organization should have the following multiple layers of security in place to protect its operations:

● Physical security, to protect physical items, objects, or areas from unauthorized access and misuse
● Personnel security, to protect the individual or group of individuals who are authorized to access the organization and its operations
● Operations security, to protect the details of a particular operation or series of activities
● Communications security, to protect communications media, technology, and content
● Network security, to protect networking components, connections, and contents
● Information security, to protect the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and technology.

The Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.[12] Figure 1-3 shows that information security includes the broad areas of information security management, computer and data security, and network security. The CNSS model of information security evolved from a concept developed by the computer security industry called the C.I.A. triangle. The C.I.A. triangle has been the industry standard for computer security since the development of the mainframe. It is based on the three characteristics of information that give it value to organizations: confidentiality, integrity, and availability. The security of these three characteristics of information is as important today as it has always been, but the C.I.A. triangle model no longer adequately addresses the constantly changing environment. The threats to the confidentiality, integrity, and availability of information have evolved into a vast collection of events, including accidental or intentional damage, destruction, theft, unintended or unauthorized modification, or other misuse from human or nonhuman threats. This new environment of many constantly evolving threats has prompted the development of a more robust model that addresses the complexities of the current information security environment. The expanded model consists of a list of critical characteristics of information, which are described in the next section. C.I.A. triangle terminology is used in this chapter because of the breadth of material that is based on it.

Key Information Security Concepts

This book uses a number of terms and concepts that are essential to any discussion of information security. Some of these terms are illustrated in Figure 1-4; all are covered in greater detail in subsequent chapters.

● Access: A subject or object’s ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers have illegal access to a system. Access controls regulate this ability.

● Asset: The organizational resource that is being protected. An asset can be logical, such as a Web site, information, or data; or an asset can be physical, such as a person, computer system, or other tangible object. Assets, and particularly information assets, are the focus of security efforts; they are what those efforts are attempting to protect.

● Attack: An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect. Someone casually reading sensitive information not intended for his or her use is a passive attack. A hacker attempting to break into an information system is an intentional attack. A lightning strike that causes a fire in a building is an unintentional attack. A direct attack is a hacker using a personal computer to break into a system. An indirect attack is a hacker compromising a system and using it to attack other systems, for example, as part of a botnet (slang for robot network). This group of compromised computers, running software of the attacker’s choosing, can operate autonomously or under the attacker’s direct control to attack systems and steal user information or conduct distributed denial-of-service attacks. Direct attacks originate from the threat itself. Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat.

Figure 1-3 Components of Information Security
Source: Course Technology/Cengage Learning
(Diagram labels: information security; network security; computer & data security; management of information security; policy.)


● Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization. The various levels and types of controls are discussed more fully in the following chapters.

● Exploit: A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or is created by the attacker. Exploits make use of existing software tools or custom-made software components.

● Exposure: A condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker is present.

● Loss: A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure. When an organization’s information is stolen, it has suffered a loss.

● Protection profile or security posture: The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements (or fails to implement) to protect the asset. The terms are sometimes used interchangeably with the term security program, although the security program often comprises managerial aspects of security, including planning, personnel, and subordinate programs.

Figure 1-4 Information Security Terms
Source: Course Technology/Cengage Learning

Attack: Ima Hacker downloads an exploit from the MadHackz web site and then accesses buybay’s Web site. Ima then applies the script, which runs and compromises buybay’s security controls and steals customer data. These actions cause buybay to experience a loss.
Threat: Theft
Threat agent: Ima Hacker
Exploit: Script from MadHackz Web site
Asset: buybay’s customer database
Vulnerability: Buffer overflow in online database Web interface

● Risk: The probability that something unwanted will happen. Organizations must manage risk down to a level that matches their risk appetite—the quantity and nature of risk the organization is willing to accept.

● Subjects and objects: A computer can be either the subject of an attack—an agententity used to conduct the attack—or the object of an attack—the target entity, asshown in Figure 1-5. A computer can be both the subject and object of an attack,when, for example, it is compromised by an attack (object), and is then used to attackother systems (subject).

● Threat: A category of objects, persons, or other entities that presents a danger to anasset. Threats are always present and can be purposeful or undirected. For example,hackers purposefully threaten unprotected information systems, while severe stormsincidentally threaten buildings and their contents.

● Threat agent: The specific instance or a component of a threat. For example, all hack-ers in the world present a collective threat, while Kevin Mitnick, who was convictedfor hacking into phone systems, is a specific threat agent. Likewise, a lightning strike,hailstorm, or tornado is a threat agent that is part of the threat of severe storms.

● Vulnerability: A weakness or fault in a system or protection mechanism that opens it to attack or damage. Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined, documented, and published; others remain latent (or undiscovered).

Critical Characteristics of Information

The value of information comes from the characteristics it possesses. When a characteristic of information changes, the value of that information either increases, or, more commonly, decreases. Some characteristics affect information’s value to users more than others do. This can depend on circumstances; for example, timeliness of information can be a critical factor, because information loses much or all of its value when it is delivered too late. Though information security professionals and end users share an understanding of the characteristics of


[Figure 1-5 Computer as the Subject and Object of an Attack: a hacker using a computer as the subject of an attack sends a request across the Internet to a remote system that is the object of the attack, and stolen information flows back]

Source: Course Technology/Cengage Learning


information, tensions can arise when the need to secure the information from threats conflicts with the end users’ need for unhindered access to the information. For instance, end users may perceive a tenth-of-a-second delay in the computation of data to be an unnecessary annoyance. Information security professionals, however, may perceive that tenth of a second as a minor delay that enables an important task, like data encryption. Each critical characteristic of information—that is, the expanded C.I.A. triangle—is defined in the sections below.

Availability

Availability enables authorized users—persons or computer systems—to access information without interference or obstruction and to receive it in the required format. Consider, for example, research libraries that require identification before entrance. Librarians protect the contents of the library so that they are available only to authorized patrons. The librarian must accept a patron’s identification before that patron has free access to the book stacks. Once authorized patrons have access to the contents of the stacks, they expect to find the information they need available in a useable format and familiar language, which in this case typically means bound in a book and written in English.

Accuracy

Information has accuracy when it is free from mistakes or errors and it has the value that the end user expects. If information has been intentionally or unintentionally modified, it is no longer accurate. Consider, for example, a checking account. You assume that the information contained in your checking account is an accurate representation of your finances. Incorrect information in your checking account can result from external or internal errors. If a bank teller, for instance, mistakenly adds or subtracts too much from your account, the value of the information is changed. Or, you may accidentally enter an incorrect amount into your account register. Either way, an inaccurate bank balance could cause you to make mistakes, such as bouncing a check.

Authenticity

Authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is in the same state in which it was created, placed, stored, or transferred. Consider for a moment some common assumptions about e-mail. When you receive e-mail, you assume that a specific individual or group created and transmitted the e-mail—you assume you know the origin of the e-mail. This is not always the case. E-mail spoofing, the act of sending an e-mail message with a modified field, is a problem for many people today, because often the modified field is the address of the originator. Spoofing the sender’s address can fool e-mail recipients into thinking that messages are legitimate traffic, thus inducing them to open e-mail they otherwise might not have. Spoofing can also alter data being transmitted across a network, as in the case of User Datagram Protocol (UDP) packet spoofing, which can enable the attacker to get access to data stored on computing systems.
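Because the originator field of an e-mail is simply a header the sender writes, a receiving system can at least check whether the several headers that name the originator agree with one another. The following is an added example, not code from the textbook; the two messages are constructed and every address and domain in them is made up.

```python
"""Header-consistency triage for spoofed originator addresses.
Added example on constructed messages; the domains are not real."""
from email import message_from_string
from email.utils import parseaddr

# Constructed message: the visible From claims the bank's domain, while the
# bounce address (Return-Path) and the Reply-To point somewhere else.
SUSPICIOUS_MESSAGE = """\
Return-Path: <bounce-4711@mailer.example.net>
From: "Example Bank Support" <support@examplebank.example>
Reply-To: Account Team <verify@examplebank-secure.example>
To: <customer@example.org>
Subject: Please verify your account

Please reply with your account number.
"""

# Constructed message whose originator headers all agree.
LEGITIMATE_MESSAGE = """\
Return-Path: <support@examplebank.example>
From: "Example Bank Support" <support@examplebank.example>
To: <customer@example.org>
Subject: Your monthly statement is ready

Your statement is available in online banking.
"""


def domain_of(header_value) -> str:
    """Lower-cased domain from a header such as 'Display Name <user@host>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spoofing_indicators(raw_message: str) -> list:
    """Reasons the originator headers disagree with one another.

    An empty list means the headers are consistent, not that the message is
    genuine: every one of these fields can be forged, so this is triage that
    flags mail for closer inspection, never proof of authenticity."""
    msg = message_from_string(raw_message)
    findings = []
    from_domain = domain_of(msg.get("From"))
    if not from_domain:
        findings.append("From header missing or unparsable")
        return findings

    return_path_domain = domain_of(msg.get("Return-Path"))
    if return_path_domain and return_path_domain != from_domain:
        findings.append(
            f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")

    reply_to_domain = domain_of(msg.get("Reply-To"))
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(
            f"Reply-To domain {reply_to_domain} differs from From domain {from_domain}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, spoofing_indicators(raw) or ["headers consistent"])
```

A Return-Path that differs from the From domain also occurs with legitimate bulk mailers and mailing lists, so such a mismatch is a reason to look closer rather than a verdict on its own.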

Another variation on spoofing is phishing, when an attacker attempts to obtain personal or financial information using fraudulent means, most often by posing as another individual or organization. Pretending to be someone you are not is sometimes called pretexting when it is undertaken by law enforcement agents or private investigators. When used in a phishing attack, e-mail spoofing lures victims to a Web server that does not represent the organization it purports to, in an attempt to steal their private data such as account numbers and passwords. The most common variants include posing as a bank or brokerage company, e-commerce organization, or Internet service provider. Even when authorized, pretexting does not always lead to a satisfactory outcome. In 2006, the CEO of Hewlett-Packard


Corporation, Patricia Dunn, authorized contract investigators to use pretexting to “smoke out” a corporate director suspected of leaking confidential information. The resulting firestorm of negative publicity led to Ms. Dunn’s eventual departure from the company.13

Confidentiality

Information has confidentiality when it is protected from disclosure or exposure to unauthorized individuals or systems. Confidentiality ensures that only those with the rights and privileges to access information are able to do so. When unauthorized individuals or systems can view information, confidentiality is breached. To protect the confidentiality of information, you can use a number of measures, including the following:

● Information classification

● Secure document storage

● Application of general security policies

● Education of information custodians and end users

Confidentiality, like most of the characteristics of information, is interdependent with other characteristics and is most closely related to the characteristic known as privacy. The relationship between these two characteristics is covered in more detail in Chapter 3, “Legal and Ethical Issues in Security.”

The value of confidentiality of information is especially high when it is personal information about employees, customers, or patients. Individuals who transact with an organization expect that their personal information will remain confidential, whether the organization is a federal agency, such as the Internal Revenue Service, or a business. Problems arise when companies disclose confidential information. Sometimes this disclosure is intentional, but there are times when disclosure of confidential information happens by mistake—for example, when confidential information is mistakenly e-mailed to someone outside the organization rather than to someone inside the organization. Several cases of privacy violation are outlined in Offline: Unintentional Disclosures.

Other examples of confidentiality breaches are an employee throwing away a document containing critical information without shredding it, or a hacker who successfully breaks into an internal database of a Web-based organization and steals sensitive information about the clients, such as names, addresses, and credit card numbers.

As a consumer, you give up pieces of confidential information in exchange for convenience or value almost daily. By using a “members only” card at a grocery store, you disclose some of your spending habits. When you fill out an online survey, you exchange pieces of your personal history for access to online privileges. The bits and pieces of your information that you disclose are copied, sold, replicated, distributed, and eventually coalesced into profiles and even complete dossiers of yourself and your life. A similar technique is used in a criminal enterprise called salami theft. A deli worker knows he or she cannot steal an entire salami, but a few slices here or there can be taken home without notice. Eventually the deli worker has stolen a whole salami. In information security, salami theft occurs when an employee steals a few pieces of information at a time, knowing that taking more would be noticed—but eventually the employee gets something complete or useable.

Integrity

Information has integrity when it is whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption,


damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being stored or transmitted. Many computer viruses and worms are designed with the explicit purpose of corrupting data. For this reason, a key method for detecting a virus or worm is to look for changes in file integrity as shown by the size of the file. Another key method of assuring information integrity is file hashing, in which a file is read by a special algorithm that uses the value of the bits in the file to compute a single large number called a hash value. The hash value for any combination of bits is unique. If a computer system performs the same hashing algorithm on a file and obtains a different number than the recorded hash value for that file, the file has been compromised and the integrity of the information is lost. Information integrity is the cornerstone of information systems, because information is of no value or use if users cannot verify its integrity.
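The two detection methods just described, file size and file hashing, can be combined in a small host integrity check: record a baseline of each file’s size and hash, then compare the current state against it. The following is an added example rather than code from the textbook; it builds a throw-away directory with constructed file contents, and the file names in it are assumptions. It also shows why the hash matters: a file edited without changing its length passes the size check and is caught only by the hash.

```python
"""Host file-integrity check: baseline sizes and SHA-256 hashes, then detect
files whose stored contents changed.  Added example; the tree it builds and
the file contents are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (path relative to root) to its size and hash."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return baseline


def verify(root: Path, baseline: dict) -> list:
    """Compare the current tree with the recorded baseline.

    Returns sorted (relative_path, finding) pairs; an empty list means no drift."""
    findings = []
    current = build_baseline(root)
    for rel, expected in baseline.items():
        actual = current.get(rel)
        if actual is None:
            findings.append((rel, "missing"))
        elif actual["sha256"] != expected["sha256"]:
            # A size-only check is blind to same-length edits; the hash is not.
            if actual["size"] == expected["size"]:
                findings.append((rel, "modified (size unchanged)"))
            else:
                findings.append((rel, "modified"))
    for rel in current:
        if rel not in baseline:
            findings.append((rel, "new file"))
    return sorted(findings)


def demo() -> list:
    """Baseline a constructed tree, tamper with one file without changing its
    length, drop an unexpected file, and report what the check finds."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(root)

        # Same-length tampering: "/bin/sh" becomes "/bin/zz", size stays 30 bytes.
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/zz\n")
        (root / "etc" / "dropped").write_bytes(b"unexpected\n")
        return verify(root, baseline)


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{finding:<28} {path}")
```

In practice the baseline must be stored where the monitored host cannot silently rewrite it (read-only media or a separate system), otherwise whatever modified the file can also update the recorded hash.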

Offline: Unintentional Disclosures

In February 2005, the data aggregation and brokerage firm ChoicePoint revealed that it had been duped into releasing personal information about 145,000 people to identity thieves during 2004. The perpetrators used stolen identities to create ostensibly legitimate business entities, which then subscribed to ChoicePoint to acquire the data fraudulently. The company reported that the criminals opened many accounts and recorded personal information on individuals, including names, addresses, and identification numbers. They did so without using any network or computer-based attacks; it was simple fraud.14 While the amount of damage has yet to be compiled, the fraud is feared to have allowed the perpetrators to arrange many hundreds of instances of identity theft.

The giant pharmaceutical organization Eli Lilly and Co. released the e-mail addresses of 600 patients to one another in 2001. The American Civil Liberties Union (ACLU) denounced this breach of privacy, and information technology industry analysts noted that it was likely to influence the public debate on privacy legislation.

The company claimed that the mishap was caused by a programming error that occurred when patients who used a specific drug produced by the company signed up for an e-mail service to access support materials provided by the company. About 600 patient addresses were exposed in the mass e-mail.15

In another incident, the intellectual property of Jerome Stevens Pharmaceuticals, a small prescription drug manufacturer from New York, was compromised when the FDA released documents the company had filed with the agency. It remains unclear whether this was a deliberate act by the FDA or a simple error; but either way, the company’s secrets were posted to a public Web site for several months before being removed.16


File corruption is not necessarily the result of external forces, such as hackers. Noise in the transmission media, for instance, can also cause data to lose its integrity. Transmitting data on a circuit with a low voltage level can alter and corrupt the data. Redundancy bits and check bits can compensate for internal and external threats to the integrity of information. During each transmission, algorithms, hash values, and the error-correcting codes ensure the integrity of the information. Data whose integrity has been compromised is retransmitted.
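The difference between a check bit and an error-correcting code is easiest to see on a few bits. The following added example (not the textbook’s code; the data values and the noise it injects are constructed) attaches an even-parity bit to a 4-bit value, which can only report that something changed and so forces a retransmission, and then encodes the same value with a Hamming(7,4) code, which locates and repairs a single flipped bit. It also shows the code’s limit: two flipped bits are silently miscorrected, which is why hashes and retransmission remain necessary alongside error correction.

```python
"""Redundancy bits on a noisy channel: even parity detects one flipped bit;
Hamming(7,4) detects and corrects it.  Added example on constructed input."""


def even_parity_bit(nibble: int) -> int:
    """Check bit that makes the number of 1s in the 4-bit value even."""
    return bin(nibble & 0xF).count("1") & 1


def parity_check(nibble: int, parity: int) -> bool:
    """True if the received nibble agrees with its parity bit.  Parity says
    only 'something changed', never which bit, so the receiver must ask for
    the data to be sent again."""
    return even_parity_bit(nibble) == parity


def hamming74_encode(nibble: int) -> int:
    """Return the 7-bit codeword laid out as p1 p2 d1 p3 d2 d3 d4 (p1 = MSB)."""
    d1, d2, d3, d4 = (nibble >> 3) & 1, (nibble >> 2) & 1, (nibble >> 1) & 1, nibble & 1
    p1 = d1 ^ d2 ^ d4          # covers codeword positions 1, 3, 5, 7
    p2 = d1 ^ d3 ^ d4          # covers codeword positions 2, 3, 6, 7
    p3 = d2 ^ d3 ^ d4          # covers codeword positions 4, 5, 6, 7
    bits = (p1, p2, d1, p3, d2, d3, d4)
    return sum(b << (6 - i) for i, b in enumerate(bits))


def hamming74_decode(codeword: int) -> tuple:
    """Return (data nibble, syndrome).  A non-zero syndrome is the 1-based
    position of the single flipped bit, which is corrected before decoding."""
    bits = [(codeword >> (6 - i)) & 1 for i in range(7)]
    p1, p2, d1, p3, d2, d3, d4 = bits
    s1 = p1 ^ d1 ^ d2 ^ d4
    s2 = p2 ^ d1 ^ d3 ^ d4
    s3 = p3 ^ d2 ^ d3 ^ d4
    syndrome = s1 | (s2 << 1) | (s3 << 2)
    if syndrome:
        bits[syndrome - 1] ^= 1   # repair the flipped bit in place
    _, _, d1, _, d2, d3, d4 = bits
    return (d1 << 3) | (d2 << 2) | (d3 << 1) | d4, syndrome


def flip_bit(codeword: int, position: int) -> int:
    """Simulate line noise: invert the bit at 1-based codeword position 1..7."""
    return codeword ^ (1 << (7 - position))


def demo() -> dict:
    """Send 0b1011 through the constructed noisy channel."""
    data = 0b1011
    codeword = hamming74_encode(data)
    one_error = flip_bit(codeword, 5)        # a single bit corrupted in transit
    two_errors = flip_bit(one_error, 2)      # a second bit corrupted as well
    parity = even_parity_bit(data)
    return {
        "codeword": codeword,
        "single": hamming74_decode(one_error),    # data recovered, bit 5 repaired
        "double": hamming74_decode(two_errors),   # wrong data: beyond the code's limit
        "parity_detects": not parity_check(data ^ 0b0100, parity),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:<15} {value}")
```

The syndrome works because each parity bit covers the positions whose binary index has a particular bit set, so the three re-computed checks spell out the index of the damaged position directly.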

Utility

The utility of information is the quality or state of having value for some purpose or end. Information has value when it can serve a purpose. If information is available, but is not in a format meaningful to the end user, it is not useful. For example, to a private citizen U.S. Census data can quickly become overwhelming and difficult to interpret; however, for a politician, U.S. Census data reveals information about the residents in a district, such as their race, gender, and age. This information can help form a politician’s next campaign strategy.

Possession

The possession of information is the quality or state of ownership or control. Information is said to be in one’s possession if one obtains it, independent of format or other characteristics. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality. For example, assume a company stores its critical customer data using an encrypted file system. An employee who has quit decides to take a copy of the tape backups to sell the customer records to the competition. The removal of the tapes from their secure environment is a breach of possession. But, because the data is encrypted, neither the employee nor anyone else can read it without the proper decryption methods; therefore, there is no breach of confidentiality. Today, people caught selling company secrets face increasingly stiff fines with the likelihood of jail time. Also, companies are growing more and more reluctant to hire individuals who have demonstrated dishonesty in their past.

CNSS Security Model

The definition of information security presented in this text is based in part on the CNSS document called the National Training Standard for Information Systems Security Professionals NSTISSI No. 4011. (See www.cnss.gov/Assets/pdf/nstissi_4011.pdf. Since this document was written, the NSTISSC was renamed the Committee on National Security Systems (CNSS)—see www.cnss.gov. The library of documents is being renamed as the documents are rewritten.) This document presents a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems. The model, created by John McCumber in 1991, provides a graphical representation of the architectural approach widely used in computer and information security; it is now known as the McCumber Cube.17 The McCumber Cube in Figure 1-6 shows three dimensions. If extrapolated, the three dimensions of each axis become a 3 × 3 × 3 cube with 27 cells representing areas that must be addressed to secure today’s information systems. To ensure system security, each of the 27 areas must be properly addressed during the security process. For example, the intersection between technology, integrity, and storage requires a control or safeguard that addresses the need to use technology to protect the integrity of information while in storage. One such control might be a system for detecting host intrusion that protects the integrity of


information by alerting the security administrators to the potential modification of a critical file. What is commonly left out of such a model is the need for guidelines and policies that provide direction for the practices and implementations of technologies. The need for policy is discussed in subsequent chapters of this book.
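The practical use of the cube is as a checklist: enumerate the 27 cells, tag each existing control with the cells it addresses, and list the cells nothing covers. The following is an added example, not code from the textbook or from the CNSS standard; the control inventory in it is constructed, and the cells each control is tagged with are assumptions made for the illustration.

```python
"""Coverage check over the 27 cells of the McCumber Cube.
Added example; the control inventory and its cell tags are constructed."""
from itertools import product

GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
MEASURES = ("policy", "education", "technology")

# Every (goal, state, measure) triple is one cell that needs a control.
CELLS = tuple(product(GOALS, STATES, MEASURES))

# Constructed inventory: control name -> cells the control is claimed to address.
CONTROLS = {
    "host-based intrusion detection on critical files":
        [("integrity", "storage", "technology")],
    "TLS on every external connection":
        [("confidentiality", "transmission", "technology"),
         ("integrity", "transmission", "technology")],
    "full-disk encryption on laptops":
        [("confidentiality", "storage", "technology")],
    "nightly backups with tested restores":
        [("availability", "storage", "technology"),
         ("availability", "storage", "policy")],
    "security awareness training":
        [(g, s, "education") for g in GOALS for s in STATES],
    "acceptable-use and data-handling policy":
        [(g, s, "policy") for g in GOALS for s in ("storage", "processing")],
}


def validate(controls: dict) -> None:
    """Reject tags that are not real cells; a typo here would hide a gap."""
    for name, cells in controls.items():
        for cell in cells:
            if cell not in CELLS:
                raise ValueError(f"{name}: {cell} is not a McCumber Cube cell")


def coverage(controls: dict) -> dict:
    """Map each of the 27 cells to the controls that claim it."""
    validate(controls)
    table = {cell: [] for cell in CELLS}
    for name, cells in controls.items():
        for cell in cells:
            table[cell].append(name)
    return table


def uncovered_cells(controls: dict) -> list:
    """Cells with no control at all: the gaps the model exists to expose."""
    return [cell for cell, names in coverage(controls).items() if not names]


if __name__ == "__main__":
    gaps = uncovered_cells(CONTROLS)
    print(f"{len(CELLS) - len(gaps)} of {len(CELLS)} cells covered; uncovered:")
    for goal, state, measure in gaps:
        print(f"  {measure:<11} {goal:<16} {state}")
```

With this inventory the gaps cluster in two places, data in processing and data in transmission on the policy axis, which is exactly the kind of blind spot the text warns about when it notes that policy is commonly left out of such models.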

Components of an Information System

As shown in Figure 1-7, an information system (IS) is much more than computer hardware; it is the entire set of software, hardware, data, people, procedures, and networks that make possible the use of information resources in the organization. These six critical components enable information to be input, processed, output, and stored. Each of these IS components has its own strengths and weaknesses, as well as its own characteristics and uses. Each component of the information system also has its own security requirements.

Software

The software component of the IS comprises applications, operating systems, and assorted command utilities. Software is perhaps the most difficult IS component to secure. The exploitation of errors in software programming accounts for a substantial portion of the attacks on information. The information technology industry is rife with reports warning of holes, bugs, weaknesses, or other fundamental problems in software. In fact, many facets of daily life are affected by buggy software, from smartphones that crash to flawed automotive control computers that lead to recalls.

Software carries the lifeblood of information through an organization. Unfortunately, software programs are often created under the constraints of project management, which limit time, cost, and manpower. Information security is all too often implemented as an afterthought, rather than developed as an integral component from the beginning. In this way, software programs become an easy target of accidental or intentional attacks.


[Figure 1-6 The McCumber Cube18: a 3 × 3 × 3 cube whose three axes are Policy / Education / Technology, Confidentiality / Integrity / Availability, and Storage / Processing / Transmission]

Source: Course Technology/Cengage Learning


Hardware

Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system. Physical security policies deal with hardware as a physical asset and with the protection of physical assets from harm or theft. Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction with the hardware components of an information system. Securing the physical location of computers and the computers themselves is important because a breach of physical security can result in a loss of information. Unfortunately, most information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted access to the hardware is possible.

Before September 11, 2001, laptop thefts in airports were common. A two-person team worked to steal a computer as its owner passed it through the conveyor scanning devices. The first perpetrator entered the security area ahead of an unsuspecting target and quickly went through. Then, the second perpetrator waited behind the target until the target placed his/her computer on the baggage scanner. As the computer was whisked through, the second agent slipped ahead of the victim and entered the metal detector with a substantial collection of keys, coins, and the like, thereby slowing the detection process and allowing the first perpetrator to grab the computer and disappear in a crowded walkway.

While the security response to September 11, 2001 did tighten the security process at airports, hardware can still be stolen in airports and other public places. Although laptops and notebook computers are worth a few thousand dollars, the information contained in them can be worth a great deal more to organizations and individuals.

Data

Data stored, processed, and transmitted by a computer system must be protected. Data is often the most valuable asset possessed by an organization and it is the main target of intentional attacks. Systems developed in recent years are likely to make use of database


[Figure 1-7 Components of an Information System: People, Procedures, Hardware, Software, Data, Networks]

Source: Course Technology/Cengage Learning


management systems. When done properly, this should improve the security of the data and the application. Unfortunately, many system development projects do not make full use of the database management system’s security capabilities, and in some cases the database is implemented in ways that are less secure than traditional file systems.

People

Though often overlooked in computer security considerations, people have always been a threat to information security. Legend has it that around 200 B.C. a great army threatened the security and stability of the Chinese empire. So ferocious were the invaders that the Chinese emperor commanded the construction of a great wall that would defend against the Hun invaders. Around 1275 A.D., Kublai Khan finally achieved what the Huns had been trying for thousands of years. Initially, the Khan’s army tried to climb over, dig under, and break through the wall. In the end, the Khan simply bribed the gatekeeper—and the rest is history. Whether this event actually occurred or not, the moral of the story is that people can be the weakest link in an organization’s information security program. And unless policy, education and training, awareness, and technology are properly employed to prevent people from accidentally or intentionally damaging or losing information, they will remain the weakest link. Social engineering can prey on the tendency to cut corners and the commonplace nature of human error. It can be used to manipulate the actions of people to obtain access information about a system. This topic is discussed in more detail in Chapter 2, “The Need for Security.”

Procedures

Another frequently overlooked component of an IS is procedures. Procedures are written instructions for accomplishing a specific task. When an unauthorized user obtains an organization’s procedures, this poses a threat to the integrity of the information. For example, a consultant to a bank learned how to wire funds by using the computer center’s procedures, which were readily available. By taking advantage of a security weakness (lack of authentication), this bank consultant ordered millions of dollars to be transferred by wire to his own account. Lax security procedures caused the loss of over ten million dollars before the situation was corrected. Most organizations distribute procedures to their legitimate employees so they can access the information system, but many of these companies often fail to provide proper education on the protection of the procedures. Educating employees about safeguarding procedures is as important as physically securing the information system. After all, procedures are information in their own right. Therefore, knowledge of procedures, as with all critical information, should be disseminated among members of the organization only on a need-to-know basis.

Networks

The IS component that created much of the need for increased computer and information security is networking. When information systems are connected to each other to form local area networks (LANs), and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge. The physical technology that enables network functions is becoming more and more accessible to organizations of every size. Applying the traditional tools of physical security, such as locks and keys, to restrict access to and interaction with the hardware components of an information system is still important; but when computer systems are networked, this approach is no longer enough. Steps to provide network


security are essential, as is the implementation of alarm and intrusion systems to make system owners aware of ongoing compromises.

Balancing Information Security and Access

Even with the best planning and implementation, it is impossible to obtain perfect information security. Recall James Anderson’s statement from the beginning of this chapter, which emphasizes the need to balance security and access. Information security cannot be absolute: it is a process, not a goal. It is possible to make a system available to anyone, anywhere, anytime, through any means. However, such unrestricted access poses a danger to the security of the information. On the other hand, a completely secure information system would not allow anyone access. For instance, when challenged to achieve a TCSEC C-2 level security certification for its Windows operating system, Microsoft had to remove all networking components and operate the computer from only the console in a secured room.19

To achieve balance—that is, to operate an information system that satisfies the user and the security professional—the security level must allow reasonable access, yet protect against threats. Figure 1-8 shows some of the competing voices that must be considered when balancing information security and access.

Because of today’s security concerns and issues, an information system or data-processing department can get too entrenched in the management and protection of systems. An imbalance can occur when the needs of the end user are undermined by too heavy a focus on protecting and administering the information systems. Both information security technologists and end users must recognize that both groups share the same overall goals of the organization—to ensure the data is available when, where, and how it is needed, with


[Figure 1-8 Balancing Information Security and Access: a balance with Security on one side and Access on the other. User 1: “Encrypting e-mail is a hassle.” User 2: “Encrypting e-mail slows me down.” CISO: “Encryption is needed to protect secrets of the organization.”]

Source: Course Technology/Cengage Learning


minimal delays or obstacles. In an ideal world, this level of availability can be met even after concerns about loss, damage, interception, or destruction have been addressed.

Approaches to Information Security Implementation

The implementation of information security in an organization must begin somewhere, and cannot happen overnight. Securing information assets is in fact an incremental process that requires coordination, time, and patience. Information security can begin as a grassroots effort in which systems administrators attempt to improve the security of their systems. This is often referred to as a bottom-up approach. The key advantage of the bottom-up approach is the technical expertise of the individual administrators. Working with information systems on a day-to-day basis, these administrators possess in-depth knowledge that can greatly enhance the development of an information security system. They know and understand the threats to their systems and the mechanisms needed to protect them successfully. Unfortunately, this approach seldom works, as it lacks a number of critical features, such as participant support and organizational staying power.

The top-down approach—in which the project is initiated by upper-level managers who issue policy, procedures and processes, dictate the goals and expected outcomes, and determine accountability for each required action—has a higher probability of success. This approach has strong upper-management support, a dedicated champion, usually dedicated funding, a clear planning and implementation process, and the means of influencing organizational culture. The most successful kind of top-down approach also involves a formal development strategy referred to as a systems development life cycle.

For any organization-wide effort to succeed, management must buy into and fully support it. The role played in this effort by the champion cannot be overstated. Typically, this champion is an executive, such as a chief information officer (CIO) or the vice president of information technology (VP-IT), who moves the project forward, ensures that it is properly managed, and pushes for acceptance throughout the organization. Without this high-level support, many mid-level administrators fail to make time for the project or dismiss it as a low priority. Also critical to the success of this type of project is the involvement and support of the end users. These individuals are most directly affected by the process and outcome of the project and must be included in the information security process. Key end users should be assigned to a developmental team, known as the joint application development team (JAD). To succeed, the JAD must have staying power. It must be able to survive employee turnover and should not be vulnerable to changes in the personnel team that is developing the information security system. This means the processes and procedures must be documented and integrated into the organizational culture. They must be adopted and promoted by the organization’s management.

The organizational hierarchy and the bottom-up and top-down approaches are illustrated in Figure 1-9.

The Systems Development Life Cycle

Information security must be managed in a manner similar to any other major system implemented in an organization. One approach for implementing an information security system in


an organization with little or no formal security in place is to use a variation of the systemsdevelopment life cycle (SDLC): the security systems development life cycle (SecSDLC). Tounderstand a security systems development life cycle, you must first understand the basics ofthe method upon which it is based.

Methodology and Phases

The systems development life cycle (SDLC) is a methodology for the design and implementation of an information system. A methodology is a formal approach to solving a problem by means of a structured sequence of procedures. Using a methodology ensures a rigorous process with a clearly defined goal and increases the probability of success. Once a methodology has been adopted, the key milestones are established and a team of individuals is selected and made accountable for accomplishing the project goals.

The traditional SDLC consists of six general phases. If you have taken a system analysis and design course, you may have been exposed to a model consisting of a different number of phases. SDLC models range from having three to twelve phases, all of which have been mapped into the six presented here. The waterfall model pictured in Figure 1-10 illustrates that each phase begins with the results and information gained from the previous phase.

At the end of each phase comes a structured review or reality check, during which the team determines if the project should be continued, discontinued, outsourced, postponed, or returned to an earlier phase, depending on whether the project is proceeding as expected and on the need for additional expertise, organizational knowledge, or other resources.

Figure 1-9 Approaches to Information Security Implementation
[Organizational hierarchy shown in the figure: CEO; CFO, CIO, COO; CISO, VP-Systems, VP-Networks; security manager, systems manager, network manager; security administrator, systems administrator, network administrator; security technician, systems technician, network technician. The figure labels the top-down approach, which originates at the top of this hierarchy, and the bottom-up approach, which originates at the bottom.]
Source: Course Technology/Cengage Learning

Once the system is implemented, it is maintained (and modified) over the remainder of its operational life. Any information systems implementation may have multiple iterations as the cycle is repeated over time. Only by means of constant examination and renewal can any system, especially an information security program, perform up to expectations in the constantly changing environment in which it is placed.

The following sections describe each phase of the traditional SDLC.20

Investigation

The first phase, investigation, is the most important. What problem is the system being developed to solve? The investigation phase begins with an examination of the event or plan that initiates the process. During the investigation phase, the objectives, constraints, and scope of the project are specified. A preliminary cost-benefit analysis evaluates the perceived benefits and the appropriate levels of cost for those benefits. At the conclusion of this phase, and at every phase following, a feasibility analysis assesses the economic, technical, and behavioral feasibilities of the process and ensures that implementation is worth the organization’s time and effort.

Analysis

The analysis phase begins with the information gained during the investigation phase. This phase consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems. Analysts begin by determining what the new system is expected to do and how it will interact with existing systems. This phase ends with the documentation of the findings and an update of the feasibility analysis.

Figure 1-10 SDLC Waterfall Methodology
[Phases in sequence: Investigation, Analysis, Logical Design, Physical Design, Implementation, Maintenance and Change. Each phase feeds the next; the cycle is repeated when the system is no longer viable.]
Source: Course Technology/Cengage Learning

Logical Design

In the logical design phase, the information gained from the analysis phase is used to begin creating a systems solution for a business problem. In any systems solution, it is imperative that the first and driving factor is the business need. Based on the business need, applications are selected to provide needed services, and then data support and structures capable of providing the needed inputs are chosen. Finally, based on all of the above, specific technologies to implement the physical solution are delineated. The logical design is, therefore, the blueprint for the desired solution. The logical design is implementation independent, meaning that it contains no reference to specific technologies, vendors, or products. It addresses, instead, how the proposed system will solve the problem at hand. In this stage, analysts generate a number of alternative solutions, each with corresponding strengths and weaknesses, and costs and benefits, allowing for a general comparison of available options. At the end of this phase, another feasibility analysis is performed.

Physical Design

During the physical design phase, specific technologies are selected to support the alternatives identified and evaluated in the logical design. The selected components are evaluated based on a make-or-buy decision (develop the components in-house or purchase them from a vendor). Final designs integrate various components and technologies. After yet another feasibility analysis, the entire solution is presented to the organizational management for approval.

Implementation

In the implementation phase, any needed software is created. Components are ordered, received, and tested. Afterward, users are trained and supporting documentation created. Once all components are tested individually, they are installed and tested as a system. Again a feasibility analysis is prepared, and the sponsors are then presented with the system for a performance review and acceptance test.

Maintenance and Change

The maintenance and change phase is the longest and most expensive phase of the process. This phase consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle. Even though formal development may conclude during this phase, the life cycle of the project continues until it is determined that the process should begin again from the investigation phase. At periodic points, the system is tested for compliance, and the feasibility of continuance versus discontinuance is evaluated. Upgrades, updates, and patches are managed. As the needs of the organization change, the systems that support the organization must also change. It is imperative that those who manage the systems, as well as those who support them, continually monitor the effectiveness of the systems in relation to the organization’s environment. When a current system can no longer support the evolving mission of the organization, the project is terminated and a new project is implemented.

Securing the SDLC

Each of the phases of the SDLC should include consideration of the security of the system being assembled as well as the information it uses. Whether the system is custom and built from scratch, is purchased and then customized, or is commercial off-the-shelf software (COTS), the implementing organization is responsible for ensuring it is used securely. This means that each implementation of a system is secure and does not risk compromising the confidentiality, integrity, and availability of the organization’s information assets. The following section, adapted from NIST Special Publication 800-64, rev. 1, provides an overview of the security considerations for each phase of the SDLC.

Each of the example SDLC phases [discussed earlier] includes a minimum set of security steps needed to effectively incorporate security into a system during its development. An organization will either use the general SDLC described [earlier] or will have developed a tailored SDLC that meets their specific needs. In either case, NIST recommends that organizations incorporate the associated IT security steps of this general SDLC into their development process:

Investigation/Analysis Phases

● Security categorization—defines three levels (i.e., low, moderate, or high) of potential impact on organizations or individuals should there be a breach of security (a loss of confidentiality, integrity, or availability). Security categorization standards assist organizations in making the appropriate selection of security controls for their information systems.

● Preliminary risk assessment—results in an initial description of the basic security needs of the system. A preliminary risk assessment should define the threat environment in which the system will operate.

Logical/Physical Design Phases

● Risk assessment—analysis that identifies the protection requirements for the system through a formal risk assessment process. This analysis builds on the initial risk assessment performed during the Initiation phase, but will be more in-depth and specific.

● Security functional requirements analysis—analysis of requirements that may include the following components: (1) system security environment (i.e., enterprise information security policy and enterprise security architecture) and (2) security functional requirements.

● Security assurance requirements analysis—analysis of requirements that address the developmental activities required and assurance evidence needed to produce the desired level of confidence that the information security will work correctly and effectively. The analysis, based on legal and functional security requirements, will be used as the basis for determining how much and what kinds of assurance are required.

● Cost considerations and reporting—determines how much of the development cost can be attributed to information security over the life cycle of the system. These costs include hardware, software, personnel, and training.

● Security planning—ensures that agreed upon security controls, planned or in place, are fully documented. The security plan also provides a complete characterization or description of the information system as well as attachments or references to key documents supporting the agency’s information security program (e.g., configuration management plan, contingency plan, incident response plan, security awareness and training plan, rules of behavior, risk assessment, security test and evaluation results, system interconnection agreements, security authorizations/accreditations, and plan of action and milestones).

● Security control development—ensures that security controls described in the respective security plans are designed, developed, and implemented. For information systems currently in operation, the security plans for those systems may call for the development of additional security controls to supplement the controls already in place or the modification of selected controls that are deemed to be less than effective.

● Developmental security test and evaluation—ensures that security controls developed for a new information system are working properly and are effective. Some types of security controls (primarily those controls of a non-technical nature) cannot be tested and evaluated until the information system is deployed—these controls are typically management and operational controls.

● Other planning components—ensures that all necessary components of the development process are considered when incorporating security into the life cycle. These components include selection of the appropriate contract type, participation by all necessary functional groups within an organization, participation by the certifier and accreditor, and development and execution of necessary contracting plans and processes.

Implementation Phase

● Inspection and acceptance—ensures that the organization validates and verifies that the functionality described in the specification is included in the deliverables.

● System integration—ensures that the system is integrated at the operational site where the information system is to be deployed for operation. Security control settings and switches are enabled in accordance with vendor instructions and available security implementation guidance.

● Security certification—ensures that the controls are effectively implemented through established verification techniques and procedures and gives organization officials confidence that the appropriate safeguards and countermeasures are in place to protect the organization’s information system. Security certification also uncovers and describes the known vulnerabilities in the information system.

● Security accreditation—provides the necessary security authorization of an information system to process, store, or transmit information that is required. This authorization is granted by a senior organization official and is based on the verified effectiveness of security controls to some agreed upon level of assurance and an identified residual risk to agency assets or operations.

Maintenance and Change Phase

● Configuration management and control—ensures adequate consideration of the potential security impacts due to specific changes to an information system or its surrounding environment. Configuration management and configuration control procedures are critical to establishing an initial baseline of hardware, software, and firmware components for the information system and subsequently controlling and maintaining an accurate inventory of any changes to the system.

● Continuous monitoring—ensures that controls continue to be effective in their application through periodic testing and evaluation. Security control monitoring (i.e., verifying the continued effectiveness of those controls over time) and reporting the security status of the information system to appropriate agency officials is an essential activity of a comprehensive information security program.


● Information preservation—ensures that information is retained, as necessary, to conform to current legal requirements and to accommodate future technology changes that may render the retrieval method obsolete.

● Media sanitization—ensures that data is deleted, erased, and written over as necessary.

● Hardware and software disposal—ensures that hardware and software is disposed of as directed by the information system security officer.

Adapted from Security Considerations in the Information System Development Life Cycle.21
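The security categorization step in the list above (low, moderate, or high impact for a loss of confidentiality, integrity, or availability) has a precise rule behind it in FIPS 199, the standard the NIST text alludes to: each information type a system handles is rated per objective, and the system takes the highest rating found for each objective, never below low. The following Python script is an added example, not part of the textbook or of NIST SP 800-64; the information types, their impact values and the portal system it categorizes are constructed for illustration.

```python
"""Security categorization by the FIPS 199 high-water-mark rule.

Added example (not from the textbook or from NIST SP 800-64). FIPS 199 rates
the impact of a loss of confidentiality, integrity, or availability as LOW,
MODERATE, or HIGH for each information type, and sets each objective of the
system to the highest value found among its information types. The
information types and impact values below are constructed for illustration.
"""
from dataclasses import dataclass

OBJECTIVES = ("confidentiality", "integrity", "availability")
LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {level: i for i, level in enumerate(LEVELS)}
NA = "N/A"  # FIPS 199 allows N/A only for the confidentiality of public information


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str


def validate(info):
    """Reject impact values that FIPS 199 does not permit for an information type."""
    for objective in OBJECTIVES:
        value = getattr(info, objective)
        if value in RANK or (value == NA and objective == "confidentiality"):
            continue
        raise ValueError(f"{info.name}: {value!r} is not a valid {objective} impact")


def categorize_system(info_types):
    """Return {objective: level} for a system: the highest impact of any
    information type it handles, never below LOW (FIPS 199 does not permit
    N/A for a system, since its own processing functions must be protected)."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        level = "LOW"
        for info in info_types:
            validate(info)
            value = getattr(info, objective)
            if value != NA and RANK[value] > RANK[level]:
                level = value
        category[objective] = level
    return category


def overall_impact(category):
    """Single system impact level (high-water mark across the three objectives),
    the value FIPS 200 / SP 800-53 use to pick a control baseline."""
    return max(category.values(), key=RANK.__getitem__)


def drivers(info_types, category):
    """Which information types set each objective's level. An empty list means
    nothing drove it and the LOW system minimum applies; this is what to show
    a reviewer who asks why the system came out as it did."""
    return {
        objective: sorted(i.name for i in info_types if getattr(i, objective) == level)
        for objective, level in category.items()
    }


def format_sc(category):
    """FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    parts = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample: a customer portal that also serves public pages.
PORTAL = [
    InfoType("public web content", NA, "MODERATE", "LOW"),
    InfoType("customer contact records", "MODERATE", "MODERATE", "LOW"),
    InfoType("payment authorizations", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    sc = categorize_system(PORTAL)
    print(format_sc(sc))       # SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}
    print(overall_impact(sc))  # HIGH
    print(drivers(PORTAL, sc))
```

Two details are worth noticing. A system whose only information is public still comes out LOW for confidentiality, not N/A, because the system's own configuration and processing functions need protection. And the drivers() output is the audit trail: when integrity comes out HIGH, it names the information type that forced it, which is the first question a certifier or accreditor asks.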

It is imperative that information security be designed into a system from its inception, rather than added in during or after the implementation phase. Information systems that were designed with no security functionality, or with security functions added as an afterthought, often require constant patching, updating, and maintenance to prevent risk to the systems and information. It is a well-known adage that “an ounce of prevention is worth a pound of cure.” With this in mind, organizations are moving toward more security-focused development approaches, seeking to improve not only the functionality of the systems they have in place, but consumer confidence in their products. In early 2002, Microsoft effectively suspended development work on many of its products while it put its OS developers, testers, and program managers through an intensive program focusing on secure software development. It also delayed release of its flagship server operating system to address critical security issues. Many other organizations are following Microsoft’s recent lead in putting security into the development process.

The Security Systems Development Life Cycle

The same phases used in the traditional SDLC can be adapted to support the implementation of an information security project. While the two processes may differ in intent and specific activities, the overall methodology is the same. At its heart, implementing information security involves identifying specific threats and creating specific controls to counter those threats. The SecSDLC unifies this process and makes it a coherent program rather than a series of random, seemingly unconnected actions. (Other organizations use a risk management approach to implement information security systems. This approach is discussed in subsequent chapters of this book.)

Investigation

The investigation phase of the SecSDLC begins with a directive from upper management, dictating the process, outcomes, and goals of the project, as well as its budget and other constraints. Frequently, this phase begins with an enterprise information security policy (EISP), which outlines the implementation of a security program within the organization. Teams of responsible managers, employees, and contractors are organized; problems are analyzed; and the scope of the project, as well as specific goals and objectives and any additional constraints not covered in the program policy, are defined. Finally, an organizational feasibility analysis is performed to determine whether the organization has the resources and commitment necessary to conduct a successful security analysis and design. The EISP is covered in depth in Chapter 5 of this book.


Analysis

In the analysis phase, the documents from the investigation phase are studied. The development team conducts a preliminary analysis of existing security policies or programs, along with that of documented current threats and associated controls. This phase also includes an analysis of relevant legal issues that could affect the design of the security solution. Increasingly, privacy laws have become a major consideration when making decisions about information systems that manage personal information. Recently, many states have implemented legislation making certain computer-related activities illegal. A detailed understanding of these issues is vital. Risk management also begins in this stage. Risk management is the process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the organization’s security and to the information stored and processed by the organization. Risk management is described in detail in Chapter 4 of this book.

Logical Design

The logical design phase creates and develops the blueprints for information security, and examines and implements key policies that influence later decisions. Also at this stage, the team plans the incident response actions to be taken in the event of partial or catastrophic loss. The planning answers the following questions:

● Continuity planning: How will business continue in the event of a loss?
● Incident response: What steps are taken when an attack occurs?
● Disaster recovery: What must be done to recover information and vital systems immediately after a disastrous event?

Next, a feasibility analysis determines whether or not the project should be continued or be outsourced.

Physical Design

The physical design phase evaluates the information security technology needed to support the blueprint outlined in the logical design, generates alternative solutions, and determines a final design. The information security blueprint may be revisited to keep it in line with the changes needed when the physical design is completed. Criteria for determining the definition of successful solutions are also prepared during this phase. Included at this time are the designs for physical security measures to support the proposed technological solutions. At the end of this phase, a feasibility study determines the readiness of the organization for the proposed project, and then the champion and sponsors are presented with the design. At this time, all parties involved have a chance to approve the project before implementation begins.

Implementation

The implementation phase of the SecSDLC is also similar to that of the traditional SDLC. The security solutions are acquired (made or bought), tested, implemented, and tested again. Personnel issues are evaluated, and specific training and education programs conducted. Finally, the entire tested package is presented to upper management for final approval.

Maintenance and Change

Maintenance and change is the last, though perhaps most important, phase, given the current ever-changing threat environment. Today’s information security systems need constant monitoring, testing, modification, updating, and repairing. Applications systems developed within the framework of the traditional SDLC are not designed to anticipate a software attack that requires some degree of application reconstruction. In information security, the battle for stable, reliable systems is a defensive one. Often, repairing damage and restoring information is a constant effort against an unseen adversary. As new threats emerge and old threats evolve, the information security profile of an organization must constantly adapt to prevent threats from successfully penetrating sensitive data. This constant vigilance and security can be compared to that of a fortress where threats from outside as well as from within must be constantly monitored and checked with continuously new and more innovative technologies.

Table 1-2 SDLC and SecSDLC Phase Summary

Phase 1: Investigation
Steps common to the SDLC and the SecSDLC:
● Outline project scope and goals
● Estimate costs
● Evaluate existing resources
● Analyze feasibility
Steps unique to the SecSDLC:
● Management defines project processes and goals and documents these in the program security policy

Phase 2: Analysis
Steps common to the SDLC and the SecSDLC:
● Assess current system against plan developed in Phase 1
● Develop preliminary system requirements
● Study integration of new system with existing system
● Document findings and update feasibility analysis
Steps unique to the SecSDLC:
● Analyze existing security policies and programs
● Analyze current threats and controls
● Examine legal issues
● Perform risk analysis

Phase 3: Logical Design
Steps common to the SDLC and the SecSDLC:
● Assess current business needs against plan developed in Phase 2
● Select applications, data support, and structures
● Generate multiple solutions for consideration
● Document findings and update feasibility analysis
Steps unique to the SecSDLC:
● Develop security blueprint
● Plan incident response actions
● Plan business response to disaster
● Determine feasibility of continuing and/or outsourcing the project

Phase 4: Physical Design
Steps common to the SDLC and the SecSDLC:
● Select technologies to support solutions developed in Phase 3
● Select the best solution
● Decide to make or buy components
● Document findings and update feasibility analysis
Steps unique to the SecSDLC:
● Select technologies needed to support security blueprint
● Develop definition of successful solution
● Design physical security measures to support technological solutions
● Review and approve project

Phase 5: Implementation
Steps common to the SDLC and the SecSDLC:
● Develop or buy software
● Order components
● Document the system
● Train users
● Update feasibility analysis
● Present system to users
● Test system and review performance
Steps unique to the SecSDLC:
● Buy or develop security solutions
● At end of phase, present tested package to management for approval

Phase 6: Maintenance and Change
Steps common to the SDLC and the SecSDLC:
● Support and modify system during its useful life
● Test periodically for compliance with business needs
● Upgrade and patch as necessary
Steps unique to the SecSDLC:
● Constantly monitor, test, modify, update, and repair to meet changing threats

Table 1-2 summarizes the steps performed in both the systems development life cycle and the security systems development life cycle. Since the security systems development life cycle is based on the systems development life cycle, the steps in the cycles are similar; for each phase, the steps common to both cycles and the steps unique to the security systems development life cycle are shown separately.
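The configuration management and continuous monitoring steps of the maintenance and change phase (establish a baseline of the system’s components, keep an accurate inventory of changes, and re-verify periodically) can be made concrete for a file tree. The script below is an added example, not the book’s or NIST’s: it builds a baseline of file hashes, seals it with an HMAC so the baseline itself cannot be silently rewritten, and reports added, removed and modified files. The key, directory layout and file contents in demo() are constructed for the example.

```python
"""Configuration baseline and change detection for a file tree.

Added example (not from the textbook or NIST SP 800-64), illustrating the
"initial baseline ... and accurate inventory of any changes" of configuration
control and the periodic re-verification of continuous monitoring. The
directory contents created in demo() and the key are constructed for the
example; a real deployment keeps the key and the sealed baseline off the
monitored host.
"""
import hashlib
import hmac
import json
import os
import tempfile


def _sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256
    and size. Symlinks are skipped so a planted link cannot make the scanner
    hash, and vouch for, a file outside the tree."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": _sha256_file(full), "size": os.path.getsize(full)}
    return baseline


def seal_baseline(baseline, key):
    """Canonical JSON plus an HMAC-SHA256 tag, so an intruder who alters files
    cannot also quietly re-baseline them without the key."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"baseline": body, "hmac": tag}


def open_baseline(sealed, key):
    """Verify the tag (constant-time compare) before trusting the baseline."""
    expected = hmac.new(key, sealed["baseline"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["hmac"]):
        raise ValueError("baseline integrity check failed")
    return json.loads(sealed["baseline"])


def compare(baseline, current):
    """Inventory of changes since the baseline: added, removed and modified paths."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Baseline a constructed tree, make three kinds of change, and report them;
    also show that a tampered seal is rejected."""
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/sshd_config", "PermitRootLogin no\n")
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        sealed = seal_baseline(build_baseline(root), key)

        _write(root, "etc/sshd_config", "PermitRootLogin yes\n")  # unauthorized edit
        _write(root, "etc/ld.so.preload", "/tmp/injected.so\n")   # new file
        os.remove(os.path.join(root, "etc", "hosts"))             # deletion

        report = compare(open_baseline(sealed, key), build_baseline(root))

        # Someone edits the stored baseline without the key: the seal catches it.
        forged = dict(sealed, baseline=sealed["baseline"].replace('"etc/hosts"', '"etc/hosts.old"'))
        try:
            open_baseline(forged, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"report": report, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the file directly to see the change report from demo(). The seal is the part most ad hoc monitoring scripts omit: a check that compares against an unprotected baseline stored on the same host is defeated by editing the baseline along with the files, whereas a key held elsewhere makes that edit detectable. This example covers only file contents; the NIST step also expects hardware and firmware components, and file metadata such as ownership and permissions, in the inventory.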

Security Professionals and the Organization

It takes a wide range of professionals to support a diverse information security program. As noted earlier in this chapter, information security is best initiated from the top down. Senior management is the key component and the vital force for a successful implementation of an information security program. But administrative support is also essential to developing and executing specific security policies and procedures, and technical expertise is of course essential to implementing the details of the information security program. The following sections describe the typical information security responsibilities of various professional roles in an organization.

Senior Management

The senior technology officer is typically the chief information officer (CIO), although other titles such as vice president of information, VP of information technology, and VP of systems may be used. The CIO is primarily responsible for advising the chief executive officer, president, or company owner on the strategic planning that affects the management of information in the organization. The CIO translates the strategic plans of the organization as a whole into strategic information plans for the information systems or data processing division of the organization. Once this is accomplished, CIOs work with subordinate managers to develop tactical and operational plans for the division and to enable planning and management of the systems that support the organization.

The chief information security officer (CISO) has primary responsibility for the assessment, management, and implementation of information security in the organization. The CISO may also be referred to as the manager for IT security, the security administrator, or a similar title. The CISO usually reports directly to the CIO, although in larger organizations it is not uncommon for one or more layers of management to exist between the two. However, the recommendations of the CISO to the CIO must be given equal, if not greater, priority than other technology and information-related proposals. The placement of the CISO and supporting security staff in organizational hierarchies is the subject of current debate across the industry.22


Information Security Project Team

The information security project team should consist of a number of individuals who are experienced in one or multiple facets of the required technical and nontechnical areas. Many of the same skills needed to manage and implement security are also needed to design it. Members of the security project team fill the following roles:

● Champion: A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.

● Team leader: A project manager, who may be a departmental line manager or staff unit manager, who understands project management, personnel management, and information security technical requirements.

● Security policy developers: People who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies.

● Risk assessment specialists: People who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.

● Security professionals: Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint.

● Systems administrators: People with the primary responsibility for administering the systems that house the information used by the organization.

● End users: Those whom the new system will most directly affect. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard.

Data Responsibilities

The three types of data ownership and their respective responsibilities are outlined below:

● Data owners: Those responsible for the security and use of a particular set of information. They are usually members of senior management and could be CIOs. The data owners usually determine the level of data classification (discussed later), as well as the changes to that classification required by organizational change. The data owners work with subordinate managers to oversee the day-to-day administration of the data.

● Data custodians: Working directly with data owners, data custodians are responsible for the storage, maintenance, and protection of the information. Depending on the size of the organization, this may be a dedicated position, such as the CISO, or it may be an additional responsibility of a systems administrator or other technology manager. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.

● Data users: End users who work with the information to perform their assigned roles supporting the mission of the organization. Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.

Communities of Interest

Each organization develops and maintains its own unique culture and values. Within each organizational culture, there are communities of interest that develop and evolve. As defined here, a community of interest is a group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives. While there can be many different communities of interest in an organization, this book identifies the three that are most common and that have roles and responsibilities in information security. In theory, each role must complement the other; in practice, this is often not the case.

Information Security Management and Professionals

The roles of information security professionals are aligned with the goals and mission of the information security community of interest. These job functions and organizational roles focus on protecting the organization’s information systems and stored information from attacks.

Information Technology Management and Professionals

The community of interest made up of IT managers and skilled professionals in systems design, programming, networks, and other related disciplines has many of the same objectives as the information security community. However, its members focus more on costs of system creation and operation, ease of use for system users, and timeliness of system creation, as well as transaction response time. The goals of the IT community and the information security community are not always in complete alignment, and depending on the organizational structure, this may cause conflict.

Organizational Management and Professionals

The organization’s general management team and the rest of the resources in the organization make up the other major community of interest. This large group is almost always made up of subsets of other interests as well, including executive management, production management, human resources, accounting, and legal, to name just a few. The IT community often categorizes these groups as users of information technology systems, while the information security community categorizes them as security subjects. In fact, this community serves as the greatest reminder that all IT systems and information security objectives exist to further the objectives of the broad organizational community. The most efficient IT systems operated in the most secure fashion ever devised have no value if they are not useful to the organization as a whole.

Information Security: Is it an Art or a Science?

Given the level of complexity in today’s information systems, the implementation of information security has often been described as a combination of art and science. System technologists, especially those with a gift for managing and operating computers and computer-based systems, have long been suspected of using more than a little magic to keep the systems running and functioning as expected. In information security such technologists are sometimes called security artisans.23 Everyone who has studied computer systems can appreciate the anxiety most people feel when faced with complex technology. Consider the inner workings of the computer: with the mind-boggling functions of the transistors in a CPU, the interaction of the various digital devices, and the memory storage units on the circuit boards, it’s a miracle these things work at all.

Security as Art

The administrators and technicians who implement security can be compared to a painter applying oils to canvas. A touch of color here, a brush stroke there, just enough to represent the image the artist wants to convey without overwhelming the viewer, or in security terms, without overly restricting user access. There are no hard and fast rules regulating the installation of various security mechanisms, nor are there many universally accepted complete solutions. While there are many manuals to support individual systems, there is no manual for implementing security throughout an entire interconnected system. This is especially true given the complex levels of interaction among users, policy, and technology controls.

Security as Science

Technology developed by computer scientists and engineers—which is designed for rigorous performance levels—makes information security a science as well as an art. Most scientists agree that specific conditions cause virtually all actions in computer systems. Almost every fault, security hole, and systems malfunction is a result of the interaction of specific hardware and software. If the developers had sufficient time, they could resolve and eliminate these faults.

The faults that remain are usually the result of technology malfunctioning for any one of a thousand possible reasons. There are many sources of recognized and approved security methods and techniques that provide sound technical security advice. Best practices, standards of due care, and other tried-and-true methods can minimize the level of guesswork necessary to secure an organization’s information and systems.

Security as a Social Science

A third view to consider is information security as a social science, which integrates some of the components of art and science and adds another dimension to the discussion. Social science examines the behavior of individuals as they interact with systems, whether these are societal systems or, as in this context, information systems. Information security begins and ends with the people inside the organization and the people that interact with the system, intentionally or otherwise. End users who need the very information the security personnel are trying to protect may be the weakest link in the security chain. By understanding some of the behavioral aspects of organizational science and change management, security administrators can greatly reduce the levels of risk caused by end users and create more acceptable and supportable security profiles. These measures, coupled with appropriate policy and training issues, can substantially improve the performance of end users and result in a more secure information system.

Selected Readings

● Beyond Fear by Bruce Schneier, 2006, Springer-Verlag, New York. This book is an excellent look at the broader areas of security. Of special note is Chapter 4, Systems and How They Fail, which describes how systems are often implemented and how they might be vulnerable to threats and attacks.

● Fighting Computer Crime by Donn B. Parker, 1983, Macmillan Library Reference.

● Seizing the Enigma: The Race to Break the German U-Boats Codes, 1939–1943 by David Kahn, 1991, Houghton Mifflin.

● Glossary of Terms Used in Security and Intrusion Detection by SANS Institute. This can be accessed online at www.sans.org/resources/glossary.php.

● RFC 2828–Internet Security Glossary from the Internet RFC/STD/FYI/BCP Archives. This can be accessed online at www.faqs.org/rfcs/rfc2828.html.

Chapter Summary

■ Information security evolved from the early field of computer security.

■ Security is protection from danger. There are a number of types of security: physical security, personal security, operations security, communications security, national security, and network security, to name a few.

■ Information security is the protection of information assets that use, store, or transmit information from risk through the application of policy, education, and technology.

■ The critical characteristics of information, among them confidentiality, integrity, and availability (the C.I.A. triangle), must be protected at all times; this protection is implemented by multiple measures (policies, education training and awareness, and technology).

■ Information systems are made up of six major components: hardware, software, data, people, procedures, and networks.

■ Upper management drives the top-down approach to security implementation, in contrast with the bottom-up approach or grassroots effort, whereby individuals choose security implementation strategies.

■ The traditional systems development life cycle (SDLC) is an approach to implementing a system in an organization and has been adapted to provide the outline of a security systems development life cycle (SecSDLC).

■ The control and use of data in the organization is accomplished by
● Data owners—responsible for the security and use of a particular set of information
● Data custodians—responsible for the storage, maintenance, and protection of the information
● Data users—work with the information to perform their daily jobs supporting the mission of the organization

■ Each organization has a culture in which communities of interest are united by similar values and share common objectives. The three communities in information security are general management, IT management, and information security management.

■ Information security has been described as both an art and a science, and also comprises many aspects of social science.

Review Questions

1. What is the difference between a threat agent and a threat?

2. What is the difference between vulnerability and exposure?

3. How is infrastructure protection (assuring the security of utility services) related to information security?

4. What type of security was dominant in the early years of computing?

5. What are the three components of the C.I.A. triangle? What are they used for?

6. If the C.I.A. triangle is incomplete, why is it so commonly used in security?

7. Describe the critical characteristics of information. How are they used in the study of computer security?

8. Identify the six components of an information system. Which are most directly affected by the study of computer security? Which are most commonly associated with its study?

9. What system is the father of almost all modern multiuser systems?

10. Which paper is the foundation of all subsequent studies of computer security?

11. Why is the top-down approach to information security superior to the bottom-up approach?

12. Why is a methodology important in the implementation of information security? How does a methodology improve the process?

13. Which members of an organization are involved in the security system development life cycle? Who leads the process?

14. How can the practice of information security be described as both an art and a science? How does security as a social science influence its practice?

15. Who is ultimately responsible for the security of information in the organization?

16. What is the relationship between the MULTICS project and the early development of computer security?

17. How has computer security evolved into modern information security?

18. What was important about Rand Report R-609?

19. Who decides how and when data in an organization will be used or controlled? Who is responsible for seeing that these wishes are carried out?

20. Who should lead a security team? Should the approach to security be more managerial or technical?

Exercises

1. Look up “the paper that started the study of computer security.” Prepare a summary of the key points. What in this paper specifically addresses security in areas previously unexamined?

2. Assume that a security model is needed for the protection of information in your class. Using the CNSS model, examine each of the cells and write a brief statement on how you would address the three components occupying that cell.

3. Consider the information stored on your personal computer. For each of the terms listed, find an example and document it: threat, threat agent, vulnerability, exposure, risk, attack, and exploit.

4. Using the Web, identify the chief information officer, chief information security officer, and systems administrator for your school. Which of these individuals represents the data owner? Data custodian?

5. Using the Web, find out more about Kevin Mitnick. What did he do? Who caught him? Write a short summary of his activities and explain why he is infamous.

Case Exercises

The next day at SLS found everyone in technical support busy restoring computer systems to their former state and installing new virus and worm control software. Amy found herself learning how to install desktop computer operating systems and applications as SLS made a heroic effort to recover from the attack of the previous day.

Questions:

1. Do you think this event was caused by an insider or outsider? Why do you think this?

2. Other than installing virus and worm control software, what can SLS do to prepare for the next incident?

3. Do you think this attack was the result of a virus or a worm? Why do you think this?

Endnotes

1. Bletchley Park—Home of the Enigma machine. Accessed 15 April 2010 from http://churchwell.co.uk/bletchley-park-enigma.htm.

2. Peter Salus. “Net Insecurity: Then and Now (1969–1998).” Sane ’98 Online. 19 November 1998. Accessed 26 March 2007 from www.nluug.nl/events/sane98/aftermath/salus.html.

3. Roberts, Larry. “Program Plan for the ARPANET.” Accessed 26 March 2007 from www.ziplink.net/~lroberts/SIGCOMM99_files/frame.htm.

4. Roberts, Larry. “Program Plan for the ARPANET.” Accessed 8 February 2007 from www.ziplink.net/~lroberts/SIGCOMM99_files/frame.htm.

5. Schell, Roger R., Downey, Peter J., and Popek, Gerald J. Preliminary Notes on the Design of Secure Military Computer System. January 1973. File, MCI-73-1, ESD/AFSC, Hanscom AFB, Bedford, MA 01731.

6. Bisbey, Richard, Jr., and Hollingsworth, Dennis. Protection Analysis: Final Report. May 1978. Final report, ISI/SR-78-13, USC/Information Sciences Institute, Marina Del Rey, CA 90291.

7. Grampp, F. T., and Morris, R. H. “UNIX Operating System Security.” AT&T Bell Laboratories Technical Journal 63, no. 8 (1984): 1649–1672.

8. Peter Salus. “Net Insecurity: Then and Now (1969–1998).” Sane ’98 Online. 19 November 1998. Accessed 26 March 2007 from www.nluug.nl/events/sane98/aftermath/salus.html.

9. Willis Ware. “Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security.” Rand Online. 10 October 1979. Accessed 8 February 2007 from www.rand.org/pubs/reports/R609-1/R609.1.html.

10. Willis Ware. “Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security.” Rand Online. 10 October 1979. Accessed 8 February 2004 from www.rand.org/publications/R/R609.1/R609.1.html.

11. Merriam-Webster. “security.” Merriam-Webster Online. Accessed 8 February 2007 from www.m-w.com/dictionary/security.

12. National Security Telecommunications and Information Systems Security. National Training Standard for Information Systems Security (Infosec) Professionals. 20 June 1994. File, 4011. Accessed 8 Feb 2007 from www.cnss.gov/Assets/pdf/nstissi_4011.pdf.

13. Lemos, R. “HP’s pretext to spy,” Security Focus Online. Accessed 21 June 2007 from www.securityfocus.com/brief/296.

14. “ChoicePoint Data Theft Affected Thousands.” Wall Street Journal (Eastern edition). 22 February 2005. New York, 1.

15. Dash, J. “ACLU Knocks Eli Lilly for Divulging E-Mail Addresses,” Computerworld 35, no. 28 (9 July 2001): 6.

16. CyberCrime Staff. “FDA Flub.” G4. Accessed 8 February 2007 from www.g4tv.com/techtvvault/features/39450/FDA_Flub.html.

17. Wikipedia. “The McCumber Cube.” Accessed 16 February 2007 from http://en.wikipedia.org/wiki/McCumber_cube.

18. McCumber, John. “Information Systems Security: A Comprehensive Model.” Proceedings of the 14th National Computer Security Conference, National Institute of Standards and Technology, Baltimore, MD, October 1991.

19. Microsoft. “C2 Evaluation and Certification for Windows NT (Q93362).” Microsoft Online. 1 November 2006. Accessed 25 January 2007 from http://support.microsoft.com/default.aspx?scid=kb;en-us;93362.

20. Adapted from Sandra D. Dewitz. Systems Analysis and Design and the Transition to Objects. 1996. New York: McGraw Hill Publishers, 94.

21. Grance, T., Hash, J., and Stevens, M. Security Considerations in the Information System Development Life Cycle. NIST Special Publication 800-64, rev. 1. Accessed 16 February 2007 from http://csrc.nist.gov/publications/nistpubs/800-64/NIST-SP800-64.pdf.

22. Mary Hayes. “Where The Chief Security Officer Belongs.” InformationWeek no. 877 (25 February 2002): 38.

23. D. B. Parker. Fighting Computer Crime. 1998. New York: Wiley Publishing, 189.
